I am currently building a mobile application using RhoMobile. The application will simply be calling a bunch of REST web services. The back-end REST services are written in Java + Spring. I was wondering what the security considerations are. Our requirements are very simple, we need a secure way for a user to log in with the application, and only then be able to call the web services.
Does anyone have any experience with marrying these technologies, and what are my options? At the moment I am looking at either using Spring Security or Shiro, but I am just wondering if anyone has better experience.
Just as a note, we will be using JSON for all communication.
I have my backend web server running a Ruby On Rails application.
I communicate using JSON and HTTP Basic Authentication. In this type of authentication you only need to pass a header with the user name and the password encoded.
It is not the best way to achieve security, because if someone is monitoring your network traffic he could discover your credentials, but it could be a simple solution.
I am planning an application that will have a web front end (maybe Ember) but I want to keep my options open for a native desktop application and/or an Android application. I would like all of the backend logic to be exposed as a RESTful service. The problem that arises in my mind is about user authentication. Since a RESTful service can't keep state on the server, I would need to keep it on the client in JavaScript. However this is wildly insecure due to the fact that users have the ability to edit the JavaScript data. What is the correct way to make a client side application communicate with a RESTful backend? I realize that I could just store state on the server anyway (inside the session object), but I would like to follow the REST paradigm. What is the de facto solution for this problem? Thanks in advance.
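The stateless alternative the question is circling, as an added example in Ruby (it is not code from the question or from any answer on this page): after login the server hands the client a token carrying the user id and an expiry, signed with HMAC-SHA256 under a key only the server knows. The client stores and presents the token, so the server keeps no session, and editing the token in client-side JavaScript breaks the tag and gets it rejected. The secret name, the 15-minute lifetime and the claim names are assumptions made for the example.

```ruby
require 'openssl'
require 'json'

# Constructed server-side secret for this example only. In a real service it is
# loaded from configuration and never sent to the browser or mobile client.
TOKEN_SECRET = 'constructed-example-secret-change-me'.freeze

# URL-safe base64 without padding (pack/unpack avoid needing the base64 gem).
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
rescue ArgumentError
  nil
end

# Constant-time comparison so a forged tag cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Issue a token once the user has authenticated (the password check itself is
# not shown). Everything the server needs later is inside the token, and the
# HMAC tag makes the claims unforgeable without TOKEN_SECRET.
def issue_token(user_id, ttl_seconds: 900, now: Time.now.to_i)
  claims = b64url_encode({ 'sub' => user_id, 'exp' => now + ttl_seconds }.to_json)
  tag = OpenSSL::HMAC.digest('SHA256', TOKEN_SECRET, claims)
  "#{claims}.#{b64url_encode(tag)}"
end

# Returns the claims hash if the token is genuine and unexpired, else nil.
def verify_token(token, now: Time.now.to_i)
  claims, tag = token.to_s.split('.', 2)
  return nil if claims.nil? || tag.nil?
  given = b64url_decode(tag)
  return nil if given.nil?
  expected = OpenSSL::HMAC.digest('SHA256', TOKEN_SECRET, claims)
  return nil unless secure_equal?(given, expected) # check the tag before parsing anything
  json = b64url_decode(claims)
  return nil if json.nil?
  parsed = JSON.parse(json)
  return nil unless parsed['exp'].is_a?(Integer) && parsed['exp'] > now
  parsed
rescue JSON::ParserError
  nil
end

# Simulates the client editing the claims in its own storage (e.g. sub -> admin)
# while keeping the original tag: exactly the tampering the question worries about.
def tamper_with_claims(token, new_claims)
  _old, tag = token.split('.', 2)
  "#{b64url_encode(new_claims.to_json)}.#{tag}"
end

if __FILE__ == $PROGRAM_NAME
  t = issue_token('alice', now: 1_700_000_000)
  puts verify_token(t, now: 1_700_000_100).inspect # {"sub"=>"alice", "exp"=>1700000900}
  forged = tamper_with_claims(t, 'sub' => 'admin', 'exp' => 9_999_999_999)
  puts verify_token(forged, now: 1_700_000_100).inspect # nil: tag no longer matches
  puts verify_token(t, now: 1_700_001_000).inspect # nil: expired
end
```

The token is only as secret as the channel it travels over, so it has to be sent over TLS on every request. And because the server records nothing about issued tokens, revoking one before it expires needs either a short lifetime (as here) or a server-side denylist, which is the one piece of state this design cannot avoid.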
We are currently working on a project which includes mobile apps and a front-end website. The backend server has already been built and is running as a Java application under Tomcat, which supports all the APIs.
I am wondering if a front-end website could be built under the same domain or across domains, calling the same APIs from the backend server, like the mobile app does?
By the way, the front-end does not need to communicate with the database at all; the data will be retrieved through the server APIs.
I have only done mobile apps and am new to web development, so if I have misunderstood anything, please comment. Thanks :)
Update
Is it possible to use WordPress or Drupal to build this front-end website, or should I build it myself with pure HTML?
I am wondering if a front-end website could be built under the same domain or across domains, calling the same APIs from the backend server, like the mobile app does?
Short answer: Yes.
Slightly longer answer:
Provided that the front-end web pages don't include or generate any URLs that refer to the backend site, there should be no cross-site issues. If possible, this is the architecture you should aim for.
If you do need the front-end web pages to include backend URLs [1], then there are ways to deal with this, if the user's web browser supports the relevant technologies, e.g. CORS.
[1] ... and the browser needs to be able to resolve / fetch them.
If the backend is exposed as webservices, a front end webapp can call those services via ajax if they are in the same domain. If they are cross domain, it gets a little trickier because of the Same Origin Policy (there are techniques like JSONP and CORS to help with that).
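The server side of the CORS route both answers mention, as an added example in Ruby (not code from either answer): an exact-match allow-list for the Origin header, the preflight response, and, for contrast, the substring check that lets a look-alike origin through. The header names come from the CORS specification; the allow-list contents and the example origins are constructed.

```ruby
# Constructed allow-list of front-end origins permitted to call the API with
# cookies or other credentials. An origin is scheme + host + port, compared exactly.
ALLOWED_ORIGINS = %w[https://app.example.com https://admin.example.com:8443].freeze

# Exact-match check: the only safe way to decide whether to honour an Origin.
def origin_allowed?(origin, allowed = ALLOWED_ORIGINS)
  !origin.nil? && allowed.include?(origin)
end

# A tempting but broken check: substring matching lets https://evil-example.com
# (or https://example.com.attacker.net) through.
def insecure_origin_allowed?(origin)
  !origin.nil? && origin.include?('example.com')
end

# Build the CORS part of a response. `headers` is a Hash of request headers;
# returns [status, response_headers]. A preflight (OPTIONS carrying
# Access-Control-Request-Method) gets 204 and no body.
def cors_response(method, headers, allowed = ALLOWED_ORIGINS)
  origin = headers['Origin']
  preflight = method == 'OPTIONS' && headers.key?('Access-Control-Request-Method')

  # Same-origin requests and non-browser clients send no Origin: nothing to do.
  return [preflight ? 204 : 200, {}] if origin.nil?

  # Disallowed origin: answer without any Access-Control-* headers so the browser
  # refuses to expose the response. Never reflect an arbitrary origin back.
  return [preflight ? 403 : 200, {}] unless origin_allowed?(origin, allowed)

  response = {
    'Access-Control-Allow-Origin' => origin,         # '*' is not allowed with credentials
    'Access-Control-Allow-Credentials' => 'true',
    'Vary' => 'Origin'                               # stop caches mixing up origins
  }
  if preflight
    response['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE'
    response['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
    response['Access-Control-Max-Age'] = '600'
    return [204, response]
  end
  [200, response]
end
```

Because the API accepts credentials, the allowed origin is echoed per request rather than set to `*`, and `Vary: Origin` keeps a shared cache from serving one origin's response to another. Note that CORS only controls what the browser lets a page read; it is not authentication, so the API still has to check the session or token on every call.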
I need some suggestions on how to secure REST APIs and web based internal system using a single authentication system.
I am looking into the possibility of using:
OAuth 2.0
JA-SIG CAS
Custom Implementation (implement two separate APIs)
To secure REST APIs and redirect calls to specific API instance
To authenticate web application users.
I assume you have a UI for your webapp and want to share your identity between your webapp and your web service.
You can achieve that by :
"cassifying" your webapp (For example : https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml)
proxifying your calls from your webapp to your web service (https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough).
Here are a few suggestions in how to secure REST APIs. They are related to iPhones but they are generally applicable to client/server REST API implementations. Without more information I don't know how applicable they are, but they might help you out a bit:
Security When Using REST API in an iPhone Application
https://stackoverflow.com/questions/15390354/api-key-alternative/15390892#15390892
Here is the background of my situation:
I want to create an iPad application that interacts with an Oracle SQL database. I have existing Java code from my Flex application that handles all the database requests and modifications using the Spring Framework. The Flex application ran as a web service through Tomcat. Now I want to make that Flex application into a mobile iPad version. I am having trouble figuring out what is the easiest way to use the existing Java code for the iPad, because the iPad interacts using URL requests instead of directly with the Java.
My question is, can I use the existing Java code with the Spring framework to save time from coding all the back-end handling? Basically I want to access all the classes from my Java code by doing Requests from the iPad. Is this possible and will I need JSON or XML to interact between the iPad and the Java code?
Summary:
Can I use
iPad Objective-C <-----> Java (with Spring framework) on a Tomcat web service to handle Oracle SQL data handling? If so, how and what technologies do I need? Will I need JSON or XML, and how does that factor in between the iPad and Java?
Thanks!
A good approach would be to design your app to communicate with RESTful services that return JSON. Once this is done your iPad app doesn't even have to know that the server code is written in Java; it's just interacting over HTTP.
Here's a good tutorial on setting up your tomcat to host your RESTful services: http://www.vogella.com/articles/REST/article.html - I've used this for an app I'm developing. Spring isn't even necessary.
You could go XML, but JSON is just easier in my opinion. Here's a good blog outlining the good and bad of both sides. http://digitalbazaar.com/2010/11/22/json-vs-xml/
OK, I'm making the following presumptions.
Your Flex application runs on a different machine from the Tomcat server
Your Flex application makes web service calls to the Tomcat server
So, the Flex application doesn't know the underlying technology that provides the web services. It's just seeing/consuming the output.
There's no reason why the iPad app can't do the same thing. There's no reason why it can't use the same web services that the Flex application uses. It could consume the same messages (Assuming it can handle the request/response format currently employed by the Flex application).
You can make changes if you like if you want to change the structure of the requests/responses between the clients. But the clients don't know (nor care) how the web services are implemented. They are just requesting and consuming info.
We are currently evaluating building a new web-application which consists of the following technology:
Back-end:
EE6 JAX-RS RESTful web service
Front-end:
HTML5 UI using Backbone.js (and various other libraries)
The question is, what is the best way to implement a secure session? Limitations are that we cannot use OAuth (due to a legacy login service we will be consuming). We need a financial industry level of security.
We are thinking about using HTTPS basic authentication with the rest server (back-end), and use backbone.js's session to elegantly handle the front end.
What are the security implications of adopting this strategy?
When you approach security issues, you must remember that your security is as strong as your weakest link. I hope you fully realize you need to secure all your communication, and not just the login.
Also, what key length are you going to use? 128bit?
I would recommend you to check out SPNEGO. I think this might assist you.
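The Rails answer near the top of the page (Basic authentication is simple, but anyone watching the traffic can read the credentials) and this last question (Basic authentication over HTTPS for a financial-grade application) turn on the same two facts, so one added Ruby example serves both; it is not code from any of the posts. The first fact: the Authorization header is base64, an encoding rather than encryption, and it is sent on every request, so a single request over plain HTTP leaks the password. The second: the server should never keep the password itself, only a slow salted hash, and should compare in constant time. The captured request, the user store, the salts and the iteration count are constructed for the example.

```ruby
require 'openssl'

# Build the header a client sends on EVERY request. Base64 is an encoding,
# not encryption: anyone who can read the header can read the credentials.
def basic_auth_header(user, password)
  'Basic ' + ["#{user}:#{password}"].pack('m0')
end

# Parse an Authorization header into [user, password], or nil if malformed.
# RFC 7617: the user-id may not contain ':', so the password is everything
# after the first ':'. The scheme name is matched case-insensitively.
def parse_basic_auth(header)
  m = /\ABasic[ \t]+([A-Za-z0-9+\/]+=*)\z/i.match(header.to_s)
  return nil unless m
  user, password = m[1].unpack1('m0').split(':', 2)
  return nil if user.nil? || password.nil?
  [user, password]
rescue ArgumentError # bad base64
  nil
end

# Constructed capture of one plain-HTTP request, as a network sniffer sees it.
CAPTURED_REQUEST = [
  'GET /api/accounts HTTP/1.1',
  'Host: api.example.com',
  'Authorization: Basic YWxpY2U6aHVudGVyMg==',
  'Accept: application/json'
].freeze

# What an on-path attacker recovers from that capture: the cleartext password.
# This is why the transport must be TLS for every request, not only the login.
def credentials_from_capture(lines)
  auth = lines.find { |l| l =~ /\AAuthorization:/i }
  auth && parse_basic_auth(auth.split(':', 2).last.strip)
end

# Server side: store a slow salted hash, never the password. The iteration
# count is illustrative; tune it to your hardware.
PBKDF2_ITERATIONS = 100_000

def password_hash(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32, OpenSSL::Digest.new('SHA256'))
end

# Constructed user store with a single account.
USERS = {
  'alice' => { salt: 'constructed-salt-alice', hash: password_hash('hunter2', 'constructed-salt-alice') }
}.freeze

# Compare two digests without leaking where they differ: MAC both under a
# fresh random key and compare the MACs (a standard constant-time idiom).
def digests_match?(a, b)
  key = OpenSSL::Random.random_bytes(32)
  OpenSSL::HMAC.digest('SHA256', key, a) == OpenSSL::HMAC.digest('SHA256', key, b)
end

# Returns the user name on success, nil otherwise. A dummy record is hashed for
# unknown users so response time does not reveal which accounts exist.
def authenticate(header)
  creds = parse_basic_auth(header)
  return nil unless creds
  user, password = creds
  record = USERS[user] || { salt: 'constructed-dummy-salt', hash: "\0" * 32 }
  ok = digests_match?(password_hash(password, record[:salt]), record[:hash])
  ok && USERS.key?(user) ? user : nil
end
```

Over TLS, Basic authentication is a reasonable fit for a machine client such as a mobile app. What it does not give you is any way to log a user out or limit the blast radius of a stolen credential, since the password itself is what travels on every call; that is the trade-off to weigh against a short-lived session or token issued after the legacy login service has been consulted once.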